+1 This customisation seems like an excellent idea to include in Welcome not least because it really demonstrates how to customise auth. For public websites it is important to have strong defaults built-in. For intranets, it would be trivial to weaken this (e.g. comment out IS_STRONG or reduce length etc).
--